MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 730cad1b268ed70bf04cd6b94439813a6483b69732420a6748a868376c08bea2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemcosRAT


Vendor detections: 14



SHA256 hash: 730cad1b268ed70bf04cd6b94439813a6483b69732420a6748a868376c08bea2
SHA3-384 hash: 7f83f994a75011d5ee01a20ade136531035160022950ca51e8de730e8853f8992432f86ecd348c225a2e4de608db63ca
SHA1 hash: 9d1af69a68983d2b953e2ef7b3f13d2ceccff077
MD5 hash: 9ab786122462269d62d1a0fa5f5c7fb2
humanhash: rugby-beryllium-tennessee-sink
File name: 9ab786122462269d62d1a0fa5f5c7fb2
Signature: RemcosRAT
File size: 621'568 bytes
First seen: 2021-08-11 07:05:35 UTC
Last seen: 2021-08-11 07:57:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 12288:gvAifRibUt6pivnL6TvlJDbqsnJFkh2dP5uestgBd8jswXyQLV8:gYiJibTUL6pcGFkh2dP5Xstg0jswCQLV
Threatray: 413 similar samples on MalwareBazaar
TLSH: T122D42348B260D966C6D83136E2A7DEA087320BE1751DC70F47D62F9B392272EDF84356
dhash icon: b168eae46c39d928 (9 x AgentTesla, 8 x SnakeKeylogger, 6 x BitRAT)
Reporter: zbetcheckin
Tags: 32 exe RemcosRAT
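The imphash above is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, so it is worth seeing exactly what it hashes before pivoting on it. The script below is an added example, not MalwareBazaar or pefile code: it implements the published import-hash algorithm (lowercase DLL name with a .dll/.ocx/.sys suffix removed, lowercase function name, ordinals resolved through a lookup table or written as ordN, the dll.func pairs joined with commas in import order, MD5 of the result). The import tables are constructed for illustration and are not taken from this sample; the ordinal table is a small subset and is an assumption to check against a full implementation. A managed .NET executable imports a single function, mscoree.dll!_CorExeMain, so every such binary produces the same value, which is why this imphash says nothing about the family.

```python
"""Import hash (imphash) computed from a PE import list.

Added example, not MalwareBazaar or pefile code. It follows the published
algorithm: DLL names are lowercased and stripped of a .dll/.ocx/.sys suffix,
function names are lowercased, imports by ordinal are resolved through a
lookup table (or written as "ordN"), the "dll.func" pairs are joined with
commas in import-table order, and the joined string is MD5-hashed.
"""
import hashlib

# Assumption: a small subset of the ordinal-to-name table that full imphash
# implementations carry for libraries commonly imported by ordinal.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               23: "socket", 52: "gethostbyname"},
    "wsock32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                23: "socket", 52: "gethostbyname"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString", 7: "SysStringLen"},
}


def normalize_dll(name: str) -> str:
    """Lowercase the DLL name and drop a trailing .dll/.ocx/.sys."""
    name = name.lower()
    stem, dot, ext = name.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return stem
    return name


def imphash_string(imports):
    """Canonical 'dll.func,dll.func' string.

    imports: iterable of (dll, func) in import-table order, where func is a
    str name or an int ordinal.
    """
    entries = []
    for dll, func in imports:
        lib = normalize_dll(dll)
        if isinstance(func, int):
            func = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
        entries.append(f"{lib}.{func.lower()}")
    return ",".join(entries)


def imphash(imports) -> str:
    """MD5 of the canonical import string, as a lowercase hex digest."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import tables (illustration only, not read from the sample):
# a .NET stub imports one function, so every such binary hashes identically;
# a native loader with injection and socket imports gives a distinctive set.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("WS2_32.dll", 23),                 # ordinal 23 resolves to socket
    ("USER32.dll", "SetWindowsHookExW"),
]


def dotnet_imphash() -> str:
    """The imphash every managed .NET PE shares."""
    return imphash(DOTNET_IMPORTS)


if __name__ == "__main__":
    print(".NET stub:", dotnet_imphash())
    print("native   :", imphash(NATIVE_IMPORTS))
```

Run it and compare the first line with the imphash in this entry: a match confirms the sample is a managed .NET executable and that the 48'653 AgentTesla hits are a property of the .NET loader stub, not of Remcos. Pivot on TLSH, ssdeep or the extracted C2 instead.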

Intelligence


File Origin
# of uploads: 2
# of downloads: 129
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9ab786122462269d62d1a0fa5f5c7fb2
Verdict: Malicious activity
Analysis date: 2021-08-11 07:08:48 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a file
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Detected Remcos RAT
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Svchost Process
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Remcos RAT
Behaviour
Behavior Graph (ID 463106; sample C1SGsnaz6u; start date 11/08/2021; architecture WINDOWS; score 100)

Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Detected Remcos RAT; 8 other signatures
Top-level DNS/IP contacts: github.com; eter103.dvrlists.com; avatars.githubusercontent.com

Process tree (node numbers in brackets are the graph's own):
  C1SGsnaz6u.exe [10]
    dropped: C:\Users\user\AppData\Roaming\outlook.exe (PE32); C:\Users\user\AppData\...\C1SGsnaz6u.exe (PE32); C:\Users\user\AppData\...\_Lbroimcihpy.vbs (ASCII); 2 other malicious files
    signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    C1SGsnaz6u.exe [16]
      network: eter103.dvrlists.com 79.134.225.71, ports 2050, 49719, 49737 (FINK-TELECOM-SERVICESCH, Switzerland); 192.168.2.1 (unknown); eter101.dvrlists.com
      signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Contains functionality to steal Chrome passwords or cookies; 7 other signatures
      svchost.exe [30]
        chrome.exe [46]
          network: 192.168.2.5, ports 2050, 443, 49464 (unknown); 239.255.255.250 (reserved)
          chrome.exe [57]
            network: googlehosted.l.googleusercontent.com 142.250.74.193, ports 443, 49745 (GOOGLEUS, United States); clients.l.google.com 142.250.74.206, ports 443, 49724, 61525 (GOOGLEUS, United States); 8 other IPs or domains
      svchost.exe [32]
        chrome.exe [49]
          chrome.exe [60]
        chrome.exe [51]
          chrome.exe [62]
      svchost.exe [34]
        chrome.exe [53]
    wscript.exe [20]
      signatures: Wscript starts Powershell (via cmd or directly)
      powershell.exe [36]
        conhost.exe [55]
    powershell.exe [22]
      network: 2 other IPs or domains
      conhost.exe [38]
    powershell.exe [24]
      network: 2 other IPs or domains
      conhost.exe [40]
  outlook.exe [14]
    signatures: Multi AV Scanner detection for dropped file
    powershell.exe [26]
      network: 2 other IPs or domains
      conhost.exe [42]
    powershell.exe [28]
      network: 2 other IPs or domains
      conhost.exe [44]
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-08-11 07:06:12 UTC
AV detection: 14 of 46 (30.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:august build persistence rat
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
eter101.dvrlists.com:2050
eter103.dvrlists.com:2050
Unpacked files
SHA256 hash: 3f611ac94429a8b670f5e8abb555d39959bbdf13ea786cda19d49f9bab3fc6e8
MD5 hash: 95dc82570418075210510226389f2154
SHA1 hash: 48205d3aeb0545682a7ea93c3e4b98e50bea22e1
Detections: win_remcos_g0

SHA256 hash: 13adbb09bac8eb97ebde9feaf113ff1aa6385600059e68ef62ea77ed75bf54c6
MD5 hash: 9892ff60d9ced5a66514ebd8c8284149
SHA1 hash: 4126eddb26e5afdb45633e35a9f23039bf2e942d

SHA256 hash: 2bb636bfb1738b9b7f798df19c7ed4e5e61ee9e0a692cd2e9c9f80459bdc4218
MD5 hash: c7bb808c38bfaadf1cb91c5781ca6c43
SHA1 hash: 00b1182cc4e0f2e419f6d78406c84930e376a2da

SHA256 hash: 730cad1b268ed70bf04cd6b94439813a6483b69732420a6748a868376c08bea2
MD5 hash: 9ab786122462269d62d1a0fa5f5c7fb2
SHA1 hash: 9d1af69a68983d2b953e2ef7b3f13d2ceccff077

Malware family:
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
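The extracted C2 configuration (eter101.dvrlists.com and eter103.dvrlists.com on TCP 2050, with eter103 resolving to 79.134.225.71 in the 2021-08-11 sandbox run) is the part of this entry that transfers directly to detection. The following is an added example, not MalwareBazaar tooling, that matches those indicators against Zeek-style dns.log and conn.log records. The log lines are constructed for illustration (TEST-NET addresses stand in where the page gives none); the column order and the decision to treat the port alone as a weak indicator worth flagging only for external destinations are assumptions of this script.

```python
"""Match this entry's Remcos C2 indicators against Zeek-style dns.log / conn.log lines.

Added example, not MalwareBazaar tooling. Indicators come from the C2
extraction (eter101/eter103.dvrlists.com:2050) and from the sandbox run,
which resolved eter103.dvrlists.com to 79.134.225.71 on 2021-08-11. The log
lines below are constructed for illustration.
"""
import ipaddress

C2_DOMAINS = {"eter101.dvrlists.com", "eter103.dvrlists.com"}
C2_PORT = 2050
# Resolution observed in the sandbox; RAT operators rotate hosting, so treat it as dated.
C2_IPS = {"79.134.225.71"}

# Constructed logs. Column order assumed by this script:
# dns.log:  ts uid orig_h orig_p resp_h resp_p query qtype answer
# conn.log: ts uid orig_h orig_p resp_h resp_p proto
DNS_LOG = """\
1628665000.1\tC1\t192.168.2.5\t53123\t192.168.2.1\t53\teter103.dvrlists.com\tA\t79.134.225.71
1628665001.2\tC2\t192.168.2.5\t53124\t192.168.2.1\t53\tgithub.com\tA\t192.0.2.10
1628665001.9\tC6\t192.168.2.5\t53125\t192.168.2.1\t53\teter101.dvrlists.com\tA\t-
"""
CONN_LOG = """\
1628665002.3\tC3\t192.168.2.5\t49719\t79.134.225.71\t2050\ttcp
1628665003.4\tC4\t192.168.2.5\t49745\t142.250.74.193\t443\ttcp
1628665004.5\tC5\t192.168.2.5\t49800\t10.0.0.9\t2050\ttcp
"""


def _is_external(ip: str) -> bool:
    """True for routable addresses; private, loopback, multicast and link-local are skipped."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_multicast or addr.is_link_local)


def check_dns(line: str):
    """Flag queries for a C2 domain and answers that return a known C2 IP."""
    ts, uid, orig_h, orig_p, resp_h, resp_p, query, qtype, answer = line.split("\t")
    reasons = []
    if query.lower().rstrip(".") in C2_DOMAINS:
        reasons.append("query for C2 domain " + query)
    if answer in C2_IPS:
        reasons.append("answer is C2 IP " + answer)
    return uid, reasons


def check_conn(line: str):
    """Flag connections to a C2 IP, and external connections on the configured C2 port."""
    ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
    reasons = []
    if resp_h in C2_IPS:
        reasons.append("connection to C2 IP " + resp_h)
    # The port alone is a weak indicator, so only count it for external destinations.
    if int(resp_p) == C2_PORT and _is_external(resp_h):
        reasons.append(f"{proto}/{resp_p} matches the configured C2 port")
    return uid, reasons


def match_logs(dns_log: str, conn_log: str):
    """Return [(uid, [reason, ...]), ...] for every record that hit an indicator."""
    hits = []
    for parser, text in ((check_dns, dns_log), (check_conn, conn_log)):
        for line in text.splitlines():
            if not line or line.startswith("#"):
                continue
            uid, reasons = parser(line)
            if reasons:
                hits.append((uid, reasons))
    return hits


if __name__ == "__main__":
    for uid, reasons in match_logs(DNS_LOG, CONN_LOG):
        print(uid, "; ".join(reasons))
```

The DNS match on eter101.dvrlists.com fires even though the constructed answer is empty, which is the case that matters once the operator's hosting moves: the domain names in the extracted config outlive any single IP, and the port is only corroboration.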

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
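The first rule keys on a single field, IMAGE_FILE_HEADER.TimeDateStamp, compared with the scanner's clock. The script below is an added example, not the rule author's code, that performs the same check in Python without a pefile dependency: it follows e_lfanew from the DOS header, verifies the PE signature, reads the COFF timestamp and compares it with a reference time. build_minimal_pe constructs the test input; the slack parameter and the use of this sample's first-seen date as the reference time are assumptions of the example, not part of the rule.

```python
"""Detect a stomped PE compilation timestamp that lies in the future.

Added example, not the YARA rule itself: it reads IMAGE_FILE_HEADER.TimeDateStamp
straight from the bytes (no pefile dependency) and compares it with a reference
time, which is what the rule does against the scanner's local clock.
"""
import struct
import time

PE_SIGNATURE = b"PE\0\0"
# COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
#              NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
COFF_HEADER_SIZE = 20
FIRST_SEEN = 1628640000  # 2021-08-11 00:00:00 UTC, the day this sample was first seen


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_SIZE
    if end > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp sits 4 bytes into the COFF header, after Machine and NumberOfSections.
    return struct.unpack_from("<I", data, e_lfanew + len(PE_SIGNATURE) + 4)[0]


def timestamp_in_future(data: bytes, now=None, slack: int = 0) -> bool:
    """True when the compile time is later than `now` plus `slack` seconds.

    `slack` is an assumption of this example (the rule uses none): it absorbs
    clock skew between a build machine and the scanner.
    """
    now = int(time.time()) if now is None else int(now)
    return pe_timestamp(data) > now + slack


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed test input: DOS header, PE signature and a COFF header with no
    sections. Enough for pe_timestamp(); not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew points just past the DOS header
    # Machine=i386, 0 sections, the timestamp under test, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    stomped = build_minimal_pe(2_000_000_000)  # 2033-05-18, well after FIRST_SEEN
    honest = build_minimal_pe(1_600_000_000)   # 2020-09-13
    for label, blob in (("stomped", stomped), ("honest", honest)):
        print(label, pe_timestamp(blob), timestamp_in_future(blob, now=FIRST_SEEN))
```

Because the rule compares against the scanner's clock, a sample that matched on the day it was uploaded stops matching once real time passes the stomped value; record the raw timestamp alongside the verdict rather than relying on the rule hit alone.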

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: RemcosRAT, Executable exe 730cad1b268ed70bf04cd6b94439813a6483b69732420a6748a868376c08bea2 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-08-11 07:05:36 UTC

url : hxxp://augustair.com/log/remit/edi.exe